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INTEGRITY AND SECURITY OF PERSONAL DATA 


Some rather simple words in existing and proposed privacy leg- 
islation—words such as “accuracy, “integrity,” and “security ’— 
will pose a challenge to many data processing executives. The 
challenge already exists for U.S. federal agencies; it will probably 
confront the remaining public and the private sectors in the U.S. 
in the next few years. Further, many other computer-using coun- 
tries have adopted or are considering privacy laws. The challenge 
that comes from these privacy laws occurs because these words 
cannot be put into practice as easily as might first be imagined. 
Moreover, if they are not put into practice, the threat of both civil 
and criminal penalties arises. This is not meant to be a scare dis- 
cussion of privacy legislation. Rather, we are just pointing out 
what the privacy legislation says and what the consequent imple- 
mentation problems appear to be. Based on what is shaping up, 


you may want to revise your data processing plans. 


W. will quote some selected portions of the 
Privacy Act of 1974 (Reference 1), which applies 
to agencies of the U.S. federal government and to 
private contractors acting as agents for those 
agencies: | 


PORTIONS OF PRIVACY ACT OF 1974 


1. The opportunities for an individual to secure employment, 
insurance, and credit, and his right to due process and 
other legal protections are endangered by the misuse of 
certain information systems (preamble). 

2. Federal agencies (will) ... be subject to civil suit for any 
damages which occur as a result of willful or intentional 
action which violates any individual’s rights under this Act 
(preamble). 

3. Each agency ... shall ... establish appropriate adminis- 
trative, technical, and physical safeguards to insure the se- 
curity and confidentiality of records and to protect against 
any anticipated threats or hazards to their security or in- 
tegrity which could result in substantial harm, embarrass- 


ment, inconvenience, or unfairness to any individual on 
whom information is maintained. 


. Whenever any agency . . . fails to maintain any record con- 


ceming any individual with such accuracy, relevance, 
timeliness, and completeness as is necessary to insure fair- 
ness in any determination relating to the qualifications, 
character, rights, or opportunities of, or benefits to the in- 
dividual that may be made on the basis of such record, and 
consequently a determination is made which is adverse to 
the individual . . . the individual may bring a civil action 
against the agency, and the district courts of the United 
States shall have jurisdiction . . . 


. Any officer or employee of an agency who by virtue of his 


employment or official position, has possession of, or access 
to, agency records which contain individually identifiable 
information the disclosure of which is prohibited by this 
section or by rules or regulations established hereunder, 
and who knowing that the disclosure of the specific mate- 
rial is so prohibited, willfully discloses the material in any 
manner to any person or agency not entitled to receive it, 
shall be guilty of a misdemeanor and fined not more than 
$5,000. 


Reproduction prohibited; copying or photocopying this report is a violation of the copyright law; orders for 


copies filled promptly; prices listed on last page. 


The message of these quotes is clear. The 
agencies of the U.S. federal government are re- 
sponsible for effective management of their data 
systems, including the integrity and security of 
the personal data in their files. They are to take 
appropriate steps to assure the integrity and the 
security of the records. Any willful or intentional 
action which results in harm to an individual, un- 
der this Act, is subject to a civil suit. Any willful 
but unauthorized disclosure of personal informa- 
tion can lead to a criminal penalty of a fine not 
exceeding $5,000. It is not clear whether a willful 
decision not to institute a security measure, which 
later leads to the unauthorized disclosure of per- 
sonal information, will make the decision maker 
subject to this criminal penalty. 

This is all very well, you say, but it only applies 
to agencies of the U.S. federal government. What 
does it have to do with me? 

Well, the U.S. House of Representatives is con- 
sidering H.R. 1984 (Reference 2), which would 
extend privacy legislation to state and local gov- 
emment units and to all private organizations. 
There is no telling if and when this legislation 
might be passed, or the form it might take before 
passage. Probably the Congress will wait for a 
year or two of experience under the Privacy Act 
of 1974 before deciding on legislation for the pri- 
vate sector; Representatives Goldwater and Koch 
say they will not push their bill (H.R. 1984) for 
awhile. But as H.R. 1984 is currently drafted, it 
has words that are quite similar to those in the Pri- 
vacy Act of 1974. It calls for maintaining personal 
information with the accuracy, completeness, 
timeliness, and pertinence necessary to assure 
fairness in determinations. It calls for establishing 
categories for maintaining personal information 
to operate in conjunction with confidentiality and 
access controls. It imposes civil liability for unfair 
personal information practices, with damages to 
include actual damages, punitive damages where 
appropriate, and the costs of bringing the action. 
And for willful violations in the handling of per- 
sonal information, criminal penalties can be im- 
posed, of a fine not to exceed $10,000 for each 
instance or imprisonment of not more than five 
years, or both. And then there is a proposed fed- 
eral privacy board, with broad-ranging regu- 
latory powers. 

We suspect that somewhat similar laws will be 
drafted and enacted in other computer-using 
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countries. There seems to be a public fear of the 
computer, as representing a threat to privacy, 
even though the computer can be an ally in the 
protection of privacy. 

So the challenge of meeting the integrity and 
security requirements is already here for agencies 
of the U.S. federal government. That same chal- 
lenge may not be many years away for the rest of 
us. 


Integrity of data 

The Privacy Act of 1974 calls for federal agen- 
cies to establish appropriate safeguards to protect 
against any anticipated threats to the security and 
integrity of data records (which could result in 
substantial harm, etc. to the data subjects). H.R. 
1984 says that an organization that collects, main- 
tains, uses, or disseminates personal information 
should assure its reliability. 

What is integrity of data? We have seen a vari- 
ety of definitions, some of which confuse it or 
overlap it with security of data. As we use the 
term, it means undistorted by error—the condi- 
tion of representing what it purports to represent. 

As used in the context of data systems, integrity 
is somewhat different from accuracy—although 
our dictionary uses the synonym “truthful” for 
both. Accuracy is considered to mean: conform- 
ing exactly to the truth. Integrity is considered to 
mean: the data system does not inject error into 
the data. If erroneous data is entered into the sys- 
tem, the system acts with integrity if it does not 
inject more error into the data. 

(But H.R. 1984 says that an organization must 
assure the reliability of the personal data—and 
synonyms for reliability are trustworthy and true. 
So the burden may be on the organization to see 
that it does not enter erroneous personal data into 
its systems.) 

Most computer users already are taking steps to 
insure the integrity of data—that is, inhibiting the 
injection of error during initial recording, trans- 
mission, processing and storage, as well as during 
recovery from system failure. After all, errors in 
the data lead to errors of output, waste, wrong de- 
cisions, and such. But errors can never be com- 
pletely eliminated, and every organization has 
found its own error tolerance level. 

The big question is, of course, whether that er- 


~ror tolerance level—which has apparently been 


satisfactory for operational purposes—will be 


good enough to meet the demands of the privacy 
legislation. 


Security of data 


Dr. Willis Ware, Vice Chairman of the Federal 
Privacy Protection Study Commission, uses the 
following definitions for security. Computer secu- 
rity is the totality of measures required to (1) pro- 
tect a computer-based system, including its 
physical hardware, personnel, and data against 
deliberate or accidental damage from a defined 
threat; (2) protect the system against denial-of- 
use by its rightful owners; and (3) protect data 
and/or programs and/or system privileges 
against divulgence to or use by unauthorized per- 
sons. Data security is the safety of data from acci- 
dental or intentional but unauthorized disclosure, 
modification, or destruction. We would add to 
this definition by explicitly including the theft of 
data. 

One important aspect of data security is access 
control. Access control includes the identi- 
fication, authentication of identity, clearance, 
and “need to know” of each user who accesses 
data. 

As with integrity, most computer users have 
taken some steps to safeguard their installations, 
their data files, and so on. The question is whether 
those steps will be adequate under the demands of 
privacy legislation. 


What is the significance? 


We believe that the great bulk of business and 
government transactions are handled satisfac- 
torily; after all, organizations do continue to op- 
erate. When errors occur, they are generally 
corrected quite easily and no real harm is done. 
To the extent that this satisfactory handling of 
transactions occurs, privacy legislation would 
have relatively little effect. 

The problem is the unusual case. Unfortu- 
nately, the unusual case cannot be anticipated nor 
identified in advance, most of the time. This is not 
a question of data system design that we refer to 
but rather one of human behavior. The unusual 
transaction generally is treated in the normal 
manner—until it suddenly explodes. The trouble 
is caused by differences of opinion, differences of 
interpretation, and so on. 

Currently, it is hard to tell just how many of 
these unusual transactions occur and how much 
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harm they cause. There are few statistics on them. 
In those instances where unusual transactions 
pertaining to personal information occurred, the 
file owners might just claim them to be “errors” 
and dismiss them—even though the data subjects 
might feel that they had been harmed. 

However, should H.R. 1984 be enacted as cur- 
rently drafted (admittedly, not too likely), then 
any person who violates the provisions of the Act 
would be liable for actual damages sustained by 
the data subject, punitive damages where appro- 
priate, and court costs. Further, violations might 
be interpreted to include “insufficient” data in- 
tegrity and security. 

So, while many computer-using organizations 
may feel that their data integrity and security 
procedures are satisfactory because so many 
transactions are handled well, they may suddenly 
be confronted with law suits claiming large dam- 
ages for a relatively few unusual cases. 

If privacy legislation is enacted for the private 
sector, less than one year grace period may be 
granted before the law is enforced. In the case of 
the Privacy Act of 1974, the grace period was less 
than ten months. After the grace period, the 
threat of civil and criminal penalties comes into 
existence. 

We are not saying that the civil and criminal 
suits will become an avalanche when the privacy 
laws come into force. But they can occur. 

So the big question facing data processing man- 
agement, in connection with the integrity and 
security of personal data, is: How much is enough, 
in order to meet the spirit of the law and avoid 
lawsuits? 


‘‘How much is enough?’’ 


As mentioned, in the past the decisions on data 
integrity and security practices were completely 
up to the management of the organization. Each 
organization learned what integrity level it could 
tolerate and what security risks it could accept. 
When mistakes were made in these decisions, 
such mistakes usually led to loss of business—and 
in a small percentage of cases, to law suits. 

But such decisions in the future will have to 
consider the privacy laws. Moreover, these laws 
do not say explicitly how much data integrity and 
security are required. 

So how far should an organization go toward 
enhancing its data integrity and security prac- 


tices, so as to bring the threat of lawsuits within 
acceptable bounds? Following is a range of al- 
ternative approaches that we will discuss briefly: 

¢ Make no changes 

e “Prudent man” principle 

¢ Decision algorithms 

¢ Accreditation of the installation 

° Certification of the installation 

¢ Licensing of the installation 


Make no changes 


With this approach, management decides that 
the present data integrity and security practices 
are adequate, and that no enhancements probably 
will be needed. In fact, the resistance to enhance- 
ments might be even more strongly expressed, 
such as, “We are doing OK now, so let’s continue 
our practices; if we make a mistake, let them sue 
us; it will cost us less in the long run.” 

This appraoch obviously involves minimum ex- 
tra cost for data integrity and security. It also 
probably has minimum credibility in court, in 
case law suits are entered under the privacy laws. 

It seems to us that this is not a wise approach. 
The attitudes toward the handling of personal 
data are undergoing a change. We believe that 
most organizations (not just computer using or- 
ganizations) will have to make some changes in 
their record keeping practices, including their 
data integrity and security practices. 


“Prudent man” principle 


Under this approach, the organization makes a 
threat analysis and risk analysis concerning the 
personal data in its files. (As Willis Ware points 
out, a threat is to the data and risk is to the organi- 
zation.) It then decides which threats can be ac- 
cepted and which ones will require additional 
safeguards, in order to protect the organization 
from lawsuits. The same criteria would be used as 
might be used by a “prudent man” who is con- 
cerned about protecting his own property. 

One way of making the threat analysis and risk 
analysis is to perform a self-audit. The extensive 
AFips security checklist (Reference 3) would be 
helpful here, although it does not cover data in- 
tegrity as thoroughly as it covers security. In addi- 
tion, there are a number of other good quality 
checklists and manuals that pertain to integrity 
and security. Since there are so many and since 
we do not have space to give them adequate 
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treatment in this report, we have prepared a spe- 
cial annotated bibliography on the subject (Refer- 
ence 4). By the use of such material, an 
organization can audit its own integrity and secu- 
rity practices, to see what coverage is afforded. It 
is likely that outside sources will have to be con- 
sulted to determine the magnitude of the 
threats—but we do not have any leads to sources 
of good information on threats at this point in 
time. 

Another way of making the threat and risk 
analysis is to use an outside organization, such as 
an auditing firm, a security consulting firm, or 
such. Such a firm would probably use the same 
type of checklist mentioned above, but based on 
experience with other clients, might be able to 
point out threats and risks that the client might 
miss. Such an organization probably would report 
on what is being done and not being done, and 
might make recommendations on what should be 
added or changed. But the organization probably 
would not “certify” the data integrity or security 
practices and would probably disclaim any legal 
responsibility. 

It is at this point where the “prudent man” 
principle would be applied. Once the threats and 
the risks had been identified, the decision would 
have to be made on what to do and what not to do. 

The main shortcoming of this approach is that 
it is wide open to differences of opinion. Whether 
an outside organization is used or not, the deci- 
sions on what to do and what not to do are largely 
the opinions of a relatively small number of 
people—those making the analyses and the de- 
cisions. To what extent the courts will side with 
the “prudent man” decisions is a matter of 
conjecture. 


Decision algorithms 


We have seen this approach discussed in the lit- 
erature but have not seen instances of its use. It is 
very similar to the “prudent man” approach, ex- 
cept that formalized, quantitative methods are 
developed for making the decisions on what to do 
and what not to do. These methods will probably 
use the cost/benefit approach. 

As with the “prudent man” approach, a threat 
and risk analysis should be made, either by a self- 
audit or by using an outside organization. 

The results of this analysis would then be en- 
tered into the decision algorithms, to decide what 


should be changed in the data integrity and se- 
curity practices. 

A major shortcoming of this approach would be 
the same as for the “prudent man” approach. The 
decision of which practices should be used and 
which not used would still be a matter of the opin- 
ion of a small number of people. How much 
weight these opinions would carry in court is hard 
to say. 


Accreditation of the installation 


This approach requires that some independent 
agency develop standards for data integrity and 
security practices—although no such standards 
yet exist nor are they likely to appear in the near 
future. To be most useful, the agency should 
either represent the federal government or the 
industry-wide computer field. The agency would 
then appoint teams to inspect computer in- 
stallations and evaluate their data integrity and 
security practices relative to the standards. The 
accreditation, if issued, would imply no legal re- 
sponsibility on the part of the agency if the team 
failed to detect and report some sub-standard 
practices. 

Webb and Abbott (Reference 5) have proposed 
that an Accreditation Commission be formed, 
similar to the Joint Commission on Hospital Ac- 
creditation, either by the federal government 
or by the computer industry. This commis- 
sion would have two main responsibilities—to de- 
velop standards and to perform accreditation 
evaluations. 

Standards. The commission would supervise 
the development of a data integrity norm, say 
Webb and Abbott, consisting of general prin- 
ciples, standards that support and define these 
principles, and guidelines that explain and give 
practical examples of applying the standards. 
These standards would then represent profes- 
sionally developed and nationally applied criteria 
for data integrity. 

Brian Ruder, of Stanford Research Institute, in 
a letter to us, suggests that categories of computer 
systems/centers be established, so that standards 
can be developed that are germane to a particular 
environment. For example, there might be differ- 
ent standards for the accrediting of large and of 
small organizations. 

Accreditation. The commission would monitor 
the data integrity at computer centers by devel- 
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oping and applying a formal accreditation meth- 
odology, say Webb and Abbott. The commission 
would select groups of qualified people to visit 
data centers and make evaluations of the data in- 
tegrity practices at those centers. Such eval- 
uations could be done as frequently as daily or as 
infrequently as once every two to five years, de- 
pending upon the specific needs. Moreover, the 
evaluations could be mandatory for some sites 
and voluntary for others. Unlike certification, 
such accreditation would not imply a legal re- 
sponsibility on the part of the accrediting agency. 

In connection with accreditation, Ruder asks 
two important questions. For one thing, what 
sanctions should be imposed on those centers that 
fail to be accredited? And what motivation would 
there be for computer centers even to seek ac- 
creditation? One answer to the first question, he 
says, is that a public pronouncement may be suf- 
ficient to force the organization to seek com- 
pliance. And an answer to the second question 
may come from lawsuits claiming negligence or 
noncompliance. 

So people are thinking about the development 
of standards for data integrity (and, we should 
hope, for data security). Those standards do not 
yet exist. But the new privacy laws may well pro- 
vide the stimulus for their development. 

Also, it is quite possible that if such data integ- 
rity and security standards did exist, casualty in- 
surance companies might be willng to insure 
against civil penalty losses for accredited organi- 
zations. Question: would they be willing to insure 
in the absence of standards? And have they even 
been asked yet to provide such insurance? 

Thus, with accreditation, a new element enters 
the picture—standards which are professionally 
developed and nationally applied. The decisions 
on what integrity and security practices to use 
would then be based on the opinions of a large 
number of qualified people. It seems to us that the 
courts would attach much greater weight to such 
standards than they would to the decisions of 
“prudent men.” The courts might still rule in fa- 
vor of the plaintiffs, but it would seem less likely 
than in the case of the “prudent man” principle. 


Certification of the installation 


As with accreditation, the certification of com- 
puter centers would involve the development of 
standards. Authorized individuals or organiza- 


tions would then inspect data centers and certify 
(or fail to certify) that the centers meet the stand- 
ards. The model that might be applied here is that 
of the certified public accountants who perform 
audits of client organizations and then certify that 
the financial statements truly reflect the financial 
conditions of those organizations “‘according to 
generally accepted accounting practices.” 

One way in which certification differs from ac- 
creditation is that the certifying individual or or- 
ganization has a legal responsibility. If there is a 
failure to detect sub-standard practice, or if some- 
thing is hidden that should have been disclosed, 
the certifying individual or organization can be 
sued. Because of this legal responsibility, certifi- 
cation would generally require more time and 
would cost more than would accreditation. _ 

Some people are suggesting that the certified 
public accountants undertake the certification of 
data integrity and security, under the privacy leg- 
islation. An executive of the American Institute of 
Certified Public Accountants says that this is a 
function the cpas are not seeking; it may be 
forced upon them but they do not really want it. 
Not only is a new technology involved (which 
many CPA firms are qualified to handle by way of 
their management service division consultants) 
but also it exposes the cpa firms to additional pos- 
sible lawsuits. 

We understand that most lawsuits today against 
cpa firms are of the malpractice variety, where 
the plaintiffs claim that the certifiers failed to ap- 
ply the “generally accepted accounting prac- 
tices” properly. But we also learned that some of 
the lawsuits are directed at those generally ac- 
cepted accounting practices themselves, claiming 
that the practices are wrong or inadequate. 

So, even if standards of data integrity and secu- 
rity are developed, this is no guarantee that they 
will not be challenged in court. But we suspect 
that the courts will usually side in favor of the 
standards. 


Licensing of the installation 


One possibility for control by licensing is that 
personal data could neither be collected nor 
maintained unless the organization obtained a li- 
_ cense from the government to do so. And a license 
would be granted only if the organization agreed 
to meet standards of integrity and security. Fur- 
ther, the license could be withdrawn if violations 
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could be proved. 

Such licensing of installations is not being se- 
riously considered in the U.S., to our knowledge. 
We understand that in Sweden, however, all 
mechanized files of personal information must be 
licensed. 


Possible steps to take 


Suppose privacy legislation for the private sec- 
tor does come within the next 15 to 18 months 
(from state and/or federal laws). It is not too 
likely that data integrity and security standards 
will be developed by that time. What should an 
organization do to protect itself against lawsuits 
under the privacy laws? 

Some people may think that it is too early to 
begin such consideration. The private sector pri- 
vacy legislation may not actually materialize for 
years, and it may be greatly toned down when it 
does, based on the difficulties in the federal gov- 
ernment of complying with the Privacy Act of 
1974. 

However, we do not think it is too early to be- 
gin such consideration. It would be wise, we 
think, to at least do some preliminary thinking 
and to begin exchanging ideas with other data 
processing executives. 

One way to begin is to make a preliminary 
threat and risk analysis of the personal data in 
your files. We suspect that most of the problems 
will be related to the manually maintained 
records in the personnel department of an organi- 
zation. But for the personal information in the 
mechanized files, it is worth asking how the sub- 
ject individuals might be harmed, embarrassed, 
inconvenienced, or treated unfairly if that data 
were to be: (1) inaccurate, (2) irrelevant, (3) in- 
complete, (4) out of date, or (5) disclosed to some- 
one who is not authorized to see it (assuming that 
the restrictions imposed by the Privacy Act of 
1974 were applied to the private sector). We are 
not implying that this is an easy task; it is often 
hard to visualize what could happen and one 
tends to try to remember what has happened. But 
if a number of people start thinking about the 
problem and exchange their ideas, the threats and 
risks may start to come into focus. 

The next step would be to rank the threats and 
risks in order of priority. Where is the risk great- 
est to the organization, as a function of the 
threats, the probable effectiveness of the safe- 


guards, and the possible loss to the organization if 
a violation occurs? 

You might find that it would be possible to en- 
hance your safeguards where the risks are greatest 
by working on improvements at the same time 
other changes are being made. 

In short, we are suggesting that you consider 
following the “prudent man” approach at this 
point in time, since standards of data integrity and 
security are not yet available. You might be able 
to make significant progress at a not-great ex- 
pense. However, if you wait until the privacy leg- 
islation is passed and have to make all the changes 
during a relatively short grace period, the costs of 
the changes may be higher. We suggest such ac- 
tion for two reasons. For one thing, it seems like a 
sensible thing to do to treat personal data care- 
fully. And secondly, we believe that the odds fa- 
vor privacy legislation, at either the state or 
federal levels, being enacted in the next two years 
or so that will affect the private sector. Any steps 
that you can take ahead of time, at not-great cost, 
will save you time and money when the legisla- 
tion is finally enacted. 


Possible integrity enhancements 


Over the years, we have treated the subject of 
data integrity in a number of reports. In fact, our 
very first issue, in February 1963, was on error de- 
tection and control. So we will not attempt much 
of a discussion here but rather will mention cer- 
tain types of changes and reference our past 
reports. 

One step that we discussed in the November 
1975 report was to develop data definitions for 
personal data, for meeting the privacy require- 
ments. These definitions would include the accu- 
racy, relevance, completeness, and timeliness 
characteristics. Some day there may be nationally 
applied standards in this area. For the present, or- 
ganizations will have to rely on “prudent man” 
decisions on these characteristics. 

A next step might be the redesign of forms and 
procedures for the collecting of personal data, in 
line with the data definitions just mentioned. If it 
is apparent that some piece of data is not really 
relevant to the purposes of the organization, the 
collection of that data can be stopped. Or it may 
be evident that much more care must be taken in 
collecting (and updating) some piece of personal 
information—so that when that data is used for its 


EDP ANALYZER, APRIL 1976 


intended purposes, the individual is less likely to 
be harmed, embarrassed, or such. 

The whole process of data entry for personal 
data, including the detection, correction, and re- 
entry of erroneous items, might well be reviewed. 
We discussed data entry in our September and 
October 1971 reports. 

The internal control system that is used for per- 
sonal data could be reviewed. We treated internal 
control in our June 1967 and March 1975 reports. 

The backup and recovery system, for recov- 
ering from system failures without damaging per- 
sonal data, could be considered; we discussed this 
subject in our October 1968 and January 1972 re- 
ports. Also, the long term retention of personal 
data should be re-thought; we considered the me- 
chanics of long term retention in our July 1973 
issue. 

At the “privacy mandate” conference, spon- 
sored by the U.S. National Bureau of Standards 
and the Mitre Corporation in April 1975 (Refer- 
ence 6), some suggestions were made for improv- 
ing data integrity. One suggestion was to 
eliminate concurrent program development and 
data base accesses—since a program under devel- 
opment may inadvertently damage data in the 
data base. We have visited installations that do 
have such concurrent operations and which have 
reported no troubles of this type. But in fact, the 
threat is real and non-trivial, so the suggestion 
should be considered. Another suggestion was 
that dedicated equipment be used for particularly 
sensitive applications, both for integrity and secu- 
rity reasons. With today’s mini-computer sys- 
tems, this step may be more economically fea- 
sible, although it can play havoc with the 
integration of systems. 

Dr. Douglas Webb, of Lawrence Livermore 
Laboratories, has pointed out in a letter to us that 
previously accurate data can be changed by pro- 
grams. Hence, the question of accuracy and integ- 
rity of programs must be considered, as well as of 
data. Since one program in a multi-programming 
job stream can change another program, and the 
other program can change the data, the problem 
can become very complex to control. 

There are a number of things, then, that can be 
reviewed in the way that personal data is handled 
and stored. Any improvements that can be made, 
perhaps when other aspects of these systems are 
being changed, will make the eventual com- 


pliance with privacy laws that much easier. 


The real quality of data 


Up to this point, we have been addressing the 
subject of data integrity from a conventional 
standpoint. We have tended to pick up the subject 
where data has been recorded on source docu- 
ments, and have then considered how errors can 
be minimized in the following steps. Most of the 
error control procedures have to do with the tran- 
scription and transmission of data. 

Ivanov (Reference 7), in a doctoral thesis pre- 
pared at the University of Stockholm and Stock- 
holm Institute of Technology (Sweden), points 
out that this conventional viewpoint has a glaring 
error in it. Error does not begin with the record- 
ing on a source document, he says. The basic ques- 
tion is: how well does the data in the system 
reflect truth and reality? A conventional analysis 
of error control does not begin at the right point 
and does not consider the right questions, he says. 

The quality of data is determined by two major 
parameters, he claims—its accuracy and its preci- 
sion. Accuracy is an indicator of truth and rele- 
vance for multi-purpose usage. It is measured by 
the amount of disagreement among several inde- 
pendent methods of measurement—and more- 
over, methods that have been selected on the basis 
that they are likely to give the greatest dis- 
agreement of measurements. Accuracy is affected 
by what is not under the control of the decision 
maker who will use the data; rather, it is con- 
trolled by the environment. Also, accuracy is 
characterized by a lack of bias. 

Precision, on the other hand, is an indicator of 
the repeatability of measurements. It is the con- 
sistency (or lack of it) of one method of measure- 
ment repeated numerous times. Precision is 
affected by what is under the control of the deci- 
sion maker—his operations of measurement, 
transcribing, values of attributes, and the stability 
of his processes. Most of the conventional concern 
with error control has dealt with precision and 
true accuracy has been largely ignored, as Ivanov 
sees it. 

Humans have recognized that errors exist in 
the data that is used for decision making and have 
adopted strategies to try to get around these er- 
rors. One strategy has been to aggregate data, by 
making summaries, statistical analyses, and other 
such methods that tend to “average out” the er- 
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rors. Another strategy has been to provide “catch- 
all” categories in our classification systems, for 
the events that do not fit into the standard cate- 
gories properly. Instead of such strategies, says 
Ivanov, we should recognize quality of data for 
what it really is and strive for it. 

What does this imply? As we see Ivanov’s 
point, a piece of data in the file would have three 
elements: the value of the attribute, an estimate 
of the accuracy error, and an estimate of the pre- 
cision error. He gives some simple examples to il- 
lustrate his thinking. 

Consider “date of birth” data, says Ivanov. It is 
normally obtained from the data subject, taken at 
face value, and entered into our information sys- 
tems. But in fact, errors in “date of birth” do oc- 
cur. To get an estimate of the accuracy error, one 
might determine a statistical measure of the dis- 
crepancies where dates of birth have been in- 
vestigated. Or one might get the date-of-birth 
data on an individual from several (hopefully in- 
dependent) sources. The estimate of precision er- 
ror might be a statistical measure of data entry 
and transmission errors. Together, they would 
give a measure of confidence in the recorded 
“date of birth” data. 

The estimate of accuracy and precision may or 
may not be important, says Ivanov. It can be very 
important if a person’s life were to depend on it. 

We think Ivanov’s views are very relevant to 
privacy legislation. For instance, the Privacy Act 
of 1974 says that an agency must maintain any 
record concerning any individual with such accu- 
racy, relevance, etc., as to assure fairness in deter- 
minations of . .. rights . . . benefits, etc. (emphasis 
ours). Further, it says that each agency shall col- 
lect information to the greatest extent practicable 
from the subject individual when the information 
may result in adverse determinations about the 
individual’s rights, benefits, and privileges under 
federal programs. H.R. 1984 has very similar 
wording—collect information to the greatest ex- 
tent possible from the data subject directly. 

These privacy provisions say, in essence, “Give 
the benefit of the doubt to the data subject; take 
the data subject’s word for it.” This may not have 
been the intent of the wording—but it is, we think, 
a valid interpretation. Obtaining the information 
from just one source is almost sure to inject bias 
into the data. 

In light of the above discussion, the accuracy 


provision might be restated inthe following way: 
“Collect information from a variety of independ- 
ent sources, including the data subject, when the 
information may result in adverse determinations 
about the individual’s rights, benefits, and privi- 
leges. Moreover, these sources should be chosen 
on the basis of most likely disagreement. Then in- 
dicate the estimates of accuracy and precision for 
each data item recorded about the individual.” 

From a practical standpoint, most organiza- 
tions already do and will continue to (1) collect 
appropriate data from the data subject, (2) collect 
that data from the data subject only, and (3) ac- 
cept that data at face value (except, of course, the 
police, welfare agencies, credit bureaus, etc.). 
The reason is evident—it is usually much easier 
and less expensive than the alternatives. More- 
over, privacy legislation already has and will 
probably continue to put an “official seal of ap- 
proval” on this policy. 

But the privacy legislation also requires that 
personal data be collected and maintained with 
such accuracy (and relevance, etc.) as is necessary 
to assure fairness in determinations. As Ivanov 
sees accuracy (and we believe he has a strong 
point), the policy that has been set for collecting 
the personal information—that of collecting it 
from the individual himself, to the greatest extent 
possible—is inherently inaccurate. Thus, the legis- 
lation is probably contradictory on this point. We 
suspect that there will be court cases in the not- 
distant future that will test this contradiction. 

Interesting, isn’t it? The words of the legisla- 
tion seem reasonable at first but upon further 
study all sorts of problems arise. This is one rea- 
son, we think, why privacy legislation for the pri- 


vate sector should not be hurried but should be 
debated carefully. 


Possible security enhancements 


“We have discussed computer center security 
and data security in a number of previous reports, 
including May 1970, December 1971, January 
1972, December 1973, and January 1974. Hence 
we will not attempt any in-depth discussion 
at this point but instead will provide a brief 
overview. 

Many computer-using organizations still have 
substantial gaps in their physical and data secu- 
rity systems. When we visit installations, we are 
frequently invited to walk through the computer 
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rooms; there are no guards on the doors and any- 
one can walk in. One computer field security ex- 
pert related a test he made on this point. He 
simply walked into a computer room (at the site 
he was asked to inspect) and started looking 
around. An employee saw him, did not recognize 
him, and following instructions, she asked him to 
identify himself. He refused to do so. She asked 
him if he belonged there. He said no. She told him 
he would have to leave. He refused. She pleaded. 
He said he would leave if he could have one of the 
magnetic tapes. She said he could have anything 
in the place, if he would only leave. His con- 
clusion: inadequate security. 

As we have discussed in previous issues, there 
are a number of steps that organizations can take 
to inhibit the accidental or deliberate destruction 
or damage of the physical installation, or the theft 
of storage media, printouts, etc. The techniques 
of physical security are well within the state of 
the art. 

On the other hand, effective access control in 
multi-access systems is not within the state of the 
art. A basic premise of most of the workers in the 
field of data security is: if data is on-line to the 
computer, it can be accessed by a skilled pene- 
trator working at a terminal attached to that com- 
puter. All serious penetration efforts have been 
successful, we have been told by these people. At 
the same time, some new operating systems—such 
as IBM’s vs2/Release 2, TENEx, and MULTICs, do 
in fact offer higher levels of security than pre- 
vious commercial operating systems. While more 
secure than previous operating systems, we 
gather that they are still not impenetrable for 
skilled people. 

James P. Anderson, a consultant in computer 
technology, pointed out to us that the success of 
the military information security system stems 
from the nearly 40 years of experience with it. 
One feature of this system is the use of sensitivity 
levels (confidential, secret, top secret), with stand- 
ards for handling each level, both manually and in 
computer systems. So far, privacy legislation has 
not identified levels of sensitivity for personal 
data. 

The policies of the U.S. Air Force, related to 
the multi-level security problem, are discussed in 
Reference 8. There are two basic policies. If jobs 
with more than one security level are run simulta- 
neously on a multi-access computer system, one 


approach is to clear all users, terminals, commu- 
nications lines, etc., for the highest security level. 
If some top secret work is being processed, this 
means that even users with unclassified work 
would have to be cleared and operate under the 
conditions of top secret work. The other ap- 
proach is to process one security level at a time— 
run all of the unclassified work, then all of the se- 
cret work, etc. Moreover, before changing to a 
different security level, all memory devices would 
have to be cleared—internal memory, disk units 
attached, magnetic tapes attached, even printer 
ribbons. This so-called “color changing” can con- 
sume 20 to 40 minutes, it is reported. 

As with physical security, we gather that most 
users of multi-access computer systems may be 
unaware of how little data security they really 
have. If data is on-line to the computer, you must 
assume that it can be accessed by any program— 
either from batch programs or from on-line ter- 
minals, it makes no difference. If you do not want 
the data disclosed, do not keep it on-line to the 
computer. Make it available to the computer only 
when it is the only work being processed and all 
other programs are disconnected. At the con- 
clusion of the work, go through a “color change” 
routine to wipe out all traces of the work. 

If that sounds inconvenient, that is the way it is. 
If you do not take this precaution, you are run- 
ning a real risk of disclosure of the data, assuming 
that someone else wants to see that data. 

Well, you say, what about encryption? Why 
don't we encrypt the data we want to protect, 
both during transmission and in storage? Then if 
someone accesses it, they won't be able to under- 
stand it. 


Should you use data encryption? 


Following our January 1974 issue, in which we 
discussed data encryption briefly, we decided to 
do a complete issue on the subject. It sounded like 
a practical method to enhance data security. So 
we talked to a number of people, wrote lots of let- 
ters, collected a fair amount of literature—and 
then decided to forget the idea of a complete issue 
on data encryption. 

What was the problem? First, we encountered 
a good number of conflicting claims about how se- 
cure a given encryption method or device might 
be. Secondly, there was no ultimate source of 
good information available to us—for instance, 
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the U.S. National Security Agency. Thirdly, there 
was no way for us to analyze and evaluate the 
conflicting claims. 

So instead of a complete issue on this subject, 
we will give a summary of our findings. Data en- 
cryption (for both transmission and storage) can 
be an important security measure for the protec- 
tion of data—and, in today’s environment, that in- 
cludes personal data. 

We see the status of data encryption as follows. 
First, there are a number of commercial data en- 
cryption/decryption hardware devices on the 
market. In addition, there are a number of soft- 
ware encryption methods in use, some by com- 
mercial timesharing companies. Also, we have 
seen critical comments about the effectiveness of 
some of these commercial offerings, comments 
that we are in no position to evaluate. Finally, the 
U.S. National Bureau of Standards has proposed 
one method for adoption as a federal standard. 
Should this adoption occur, this method probably 
would become the “standard” method through- 
out the computer field in relatively short order. 


How good are commercial encryption devices? 


James P. Anderson, of Fort Washington, Penn- 
sylvania, heads a company that does consulting in 
computer technology. A fair amount of his work 
is in the area of data security and encryption. He 
performed one study for the U.S. Air Force (a 
copy of the report of which was given us by the 
Air Force) on how commercial encryption de- 
vices might be used in a multi-security-level oper- 
ating environment. In this environment, it is 
desired to run multiple security levels of work 
simultaneously, ranging from unclassified to top 
secret. The unprotected terminals and commu- 
nications lines, used for unclassified work, provide 
an entry means for the penetrator. Once entry is 
gained, system software changes can be made to 
make future entries easy. This study explored the 
idea of using hardware encryption devices for all 
communications. If the penetrator could not 
properly encrypt his messages, the messages 
would be rejected by the computer and he could 
not gain entry. 

Anderson studied the idea of using relatively 
inexpensive commercial encryption devices to 
provide this protection. In general, these devices 
have a set of switches which are set by the user; 
from the setting of these switches, called a user 
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“key, a pseudo-random binary stream is gener- 
ated. This binary stream is added to the message 
text to produce cipher text. Advertising literature 
for such devices tells how many billions of differ- 
ent possible binary strings can be used, with the 
implication that an exhaustive search is needed to 
find the right binary string to decode a message. 

Anderson assumed that a very fast processor 
would be available for making such an exhaustive 
search, one that could make up to 5,000 tests per 
second. Further, he assumed that the key would 
be changed once a day. Further, he assumed the 
need for a very low probability (one chance in a 
million) that in one day’s time, the key could be 
broken by such a search. 

He pointed out that the log-on routine is gener- 
ally quite stereotyped and provides an excellent 
sample of matched plain text and cipher text for 
the penetrator. The penetrator (via his computer) 
would continue to try different keys until a legiti- 
mate log-on message resulted. 

The details about the commercial devices are 
not released by their suppliers. Anderson had to 
rely on the information that was released plus dis- 
cussions with supplier personnel. 

He concluded that one popular device pro- 
vided a probability of penetration of only one in 
one thousand, far short of the goal of one in a mil- 
lion. Another gave a probability of one in 25,000. 
Another looked like it would meet the one in a 
million goal, based on some assumptions about 
the method used. 

In short, he could not be optimistic about the 
use of these three commercial devices in the envi- 
ronment which he assumed. However, it would 
seem that personal data would not need the same 
degree of protection as would top secret military 
data. A greater risk might be tolerated in the case 
of personal data. 

However, Baker (Reference 9) points out that 
low quality encryption devices may, in fact, de- 
grade security. They call attention to sensitive 
data but provide inadequate protection from a 
skilled cryptanalyst. Furthermore, he says, they 
give a false sense of security and may lead to the 
sending of sensitive information that otherwise 
would not be sent. If data is worth encrypting, it is 
worth encrypting well, says Baker. 

What are the problems with these low quality 
devices? Baker lists several. For one thing, a pene- 
trator may be able to obtain one of the encryption 
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devices, inspect its wiring, and analyze the binary 
stream that such a unit produces. Then the pene- 
trator may be able to tell when a code setting is 
“almost right” by the way the cipher stream be- 
haves. Further, such devices may generate re- 
peated sequences of the binary stream which 
might be detected by cryptanalysis methods. 

“In this same line of thinking, Bryant Tucker- 
man of IBM has demonstrated that the popular 
Vigenere-Vernam ciphers are far weaker than 
even a skilled amateur at cryptanalysis might 
think. 

We conclude from these studies that it is liter- 
ally impossible for the lay person to evaluate en- 
cryption devices. Simply claiming that the 
devices may use billions of different keys is not 
sufficient. We also wonder, who is the expert in 
this field? Just because Expert A claims that an en- 
cryption method cannot be broken in less than 
some stated amount of work does not guarantee 
that Expert B cannot break it relatively easily. 

So, it seems to us, it ends up as a matter of trust. 
Who do you trust? And how does the lay person 
evaluate the experts and make a decision on who 
to trust? That seems to be every bit as difficult as 
evaluating encryption devices. 

Which leads us to a discussion of the federal 
data encryption standard. 


A federal data encryption standard algorithm 


The method (algorithm) that has been pro- 
posed as a federal data encryption standard was 
developed by IBM and submitted to the National 
Bureau of Standards for consideration as a federal 
information processing standard. Several patents 
are involved in the implementation of the al- 
gorithm. IBM offered to release any of its patents 
to the extent they must be used in complying with 
the standard if the method is adopted as a federal 
standard by September 1, 1976. IBM has agreed 


to make available royalty-free, non-exclusive li- 


-censes in accordance with this offer. 


The method is known; it is described in detail in 
publicly available literature. Security of the data 
protected by using the algorithm is based on the 
security of a key. The concept is identical to 
keyed and combination physical locks. You may 
know how they work but if you do not have the 
key or the combination, it is very difficult to open 
the locks. 


The method uses a block structure rather than a 
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string structure. The popular string approach 
generates a long sequence of random numbers 
and adds it, number by number, to the plain text 
to obtain cipher text. A message of cipher text 
must therefore be deciphered by starting at the 
beginning of the message. 

With the IBM block approach, the algorithm 
operates on message-blocks of 64 bits, producing 
cipher-blocks of the same length. The user- 
selected key also has 64 bits, 8 of which are used 
for parity checking. The encryption of a block 
consists of an initial (input) permuation of the 64 
bits, then 16 iterations of a key-dependent calcu- 
lation to be described, and then a final (output) 
permutation. 

Each of the 16 iterations consists of the follow- 
ing steps. First, 32 bits—that is, one half of an in- 
termediate message (which is either the permuted 
input or the result of the preceding iteration)—are 
expanded to 48 bits by duplicating half of them. 
These 48 bits are then exclusive-OR-ed with 48 
bits selected from the key; the selection is differ- 
ent for each iteration. The resulting 48 bits are 
broken into 8 groups of 6 bits. Each of these 
groups of 6 bits is subjected to a different non- 
linear function which yields a group of 4 bits, for a 
total of 32 bits. These 32 bits are then subjected to 
a permutation, which mixes the groups, and are 
then exclusive-OR-ed with the other half of the 
intermediate message. The two halves are then 
interchanged, except on the last iteration. 

Decryption consists of the same steps, except 
that the sixteen 48-bit selections from the key are 
used in the reverse order. 

The protection and security of the key is vital. 
If the key gets lost, for all practical purposes the 
data will be lost. 

To try to find the 64-bit key by exhaustive 
search might be a tremendous undertaking. We 
were given one estimate of approximately 10° 
complete tests to effect the compromise of a 
single key. The U.S. National Security Agency 
was consulted by NBS on the effectiveness of this 


algorithm and, we were told, agreed that it was 


very effective. As we say, the question is: who do 
you trust? A layman cannot evaluate the effec- 
tiveness of the method. 

We understand that the algorithm, when im- 
plemented by software, requires a lot of CPU cy- 
cles. One implementation requires one-half 
second of processing time per 64-bit block on a 
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PDP-11, we were told. By refinements, the proc- 
essing time might be cut to 50 to 100 milliseconds 
per block. When the algorithm is implemented 
via LSI chips (hardware), the processing time per 
block is 20 to 50 microseconds. So it is likely that 
most implementations will be in hardware, for 
which IBM has agreed to grant royalty-free, non- 
exclusive licenses. 

Our opinion is that the method will become a 
federal standard and will be adopted as an ad hoc 
standard in the private sector. 


To use encryption or not? 


The decision to use data encryption is not a triv- 
ial one. There can be a lot of complications, both 
technical and social. We will briefly touch on 
some uncovered in our study. 

Key handling. The same key must be used for 
both encryption and decryption. With an effec- 
tive algorithm, if the decryption key differs from 
the encryption key by only one bit, the message 
text cannot be recoverd. For data transmission 
uses, the distribution, storage, and protection of 
keys will pose all sorts of problems; they can be 
lost, stolen, copied, may not arrive on time, and so 
on. Keys should be changed periodically, but this 
raises questions of what to do about encrypted 
data in storage. Must all encrypted data be re- 
trieved, decrypted with the old key, encrypted 
with the new key, and then stored? Further, if 
keys are stored in the computer in software form, 
skilled penetrators can gain access to them and 
security will be compromised. 

Cost/effectivenss. Friedman and Hoffman (Ref- 
erence 12) have analyzed processing time re- 
quirements for a number of encryption methods 
implemented by software. The costs of encryp- 
tion/decryption are real and must be applied to 
the processing costs for all sensitve data. 

James Anderson, in a comment to us about soft- 
ware implementations methods, says that such 
methods are of value only in protecting data on 
removable media from being read if the media it- 
self is stolen. Since skilled penetrators can get 
through all of today’s operating systems, they can 
capture the cipher keys stored in memory. 

We believe that, from a cost/effectiveness 
standpoint, only the hardware encryption/de- 
cryption methods will stand up. Further, we are 
assuming the use of something like the IBM 
method, implemented in hardware. 
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Data transmission. As indicated above, it may 
be necessary to encrypt all transmissions to and 
from remote terminals, to prevent penetrators 
from gaining any entry into the system. Data 
transmission must then be in the transparent 
protocol, so that encrypted characters will not be 
interpreted as data transmission control charac- 
ters. On the other hand, if not all transmissions are 
encrypted, the processors will have to route some 
of the data stream to decryption devices while the 
rest need not be so diverted. 

Social problems. Cogar (Reference 13) argues 
that the use of encryption involves a risk that so- 
ciety may find unacceptable. Encryption makes it 
harder for the thief to rob you, he says, but it also 
makes it harder for you to know that you have 
been robbed. He also questions whether it is wise, 
from a societal standpoint, to allow members of 
society to decide which data (and telephone con- 
versations, etc.) will be encrypted. What if all of 
the underworld communications were encrypted, 
he asks? Can society afford not being able to know 
what is going on inside the information systems? 


integrity and security of personal data 


If we can generalize about past practices, the 
following seems to have been the situation as far 
as integrity and security of personal data are con- 
cerned. In both the private and public sectors, 
only limited attention has been given to data in- 
tegrity. Generally, each data item is obtained 
from one source and accepted at face value. Most 
personal data has been collected from the data 
subjects themselves. Other (different) data may be 
collected from third parties, such as credit bu- 
reaus, investigatory agencies, and so on. There has 
been no convenient way to carry different values 
for one data item, collected from different 
sources, or to handle those different values even if 
they were carried. Most organizations do want 
and need accurate, complete, and timely data for 
the efficient conduct of their business. They do 
tend to collect more data than they really need, 
and they do tend to tolerate a certain level of er- 
ror in the source data. Most efforts on data integ- 
rity have dealt with detecting and correcting 
errors in data movement and transcription. 

As far as data security is concerned, national 
security data has been subject to quite rigorous 
controls, including security clearances and need- 
to-know authorizations. (There still have been 
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major violations, such as the famous Pentagon Pa- 
pers case. Also, government agencies have used 
security as a shield for keeping possibly embar- 
rassing information from the public eye, now 
made more difficult under the Freedom of Infor- 
mation Act.) In the private sector, really sensitive 
data has usually been kept in manual files, often 
under lock and key. “Normal” data has not been — 
particularly safeguarded, probably because of the 
feeling that there would be no great loss if it were 
damaged or disclosed. 

But with the arrival of privacy legislation, this 
picture is changing for personal data. U.S. federal 
agencies are already subject to a privacy law, and 
other legislation has been passed or is under con- 
sideration for state and local government units as 
well as the private sector. These laws will demand 
much more concern for the integrity and security 
of personal data. 

As far as integrity is concerned, we believe that 
the privacy aspects of personal data will have to 
be carefully defined, as we discussed in our No- 
vember 1975 report. The accuracy, completeness, 
relevance, and timeliness of the data must be 
carefully defined. Procedures must then be set up 
and enforced to see that those data definitions are 
met. 

We suspect, too, that the question of the basic 
accuracy and precision of personal data will have 
to be considered, perhaps along the lines pro- 
posed by Ivanov. This could prove to be a very 
difficult problem area. 

As far as security is concerned, organizations 
will have to make sure that their physical security 
systems adequately protect personal data. (Ques- 
tion: how much is adequate?) Data security will 
continue to be a major problem area for some 
years to come. If you have any personal data in 
on-line files, you must assume that it can be ac- 
cessed by any program in the computer. It seems 
to us that an organization subject to privacy laws 
that adopts a “no need to change anything” pol- 
icy for data security is taking a dangerous course. 
None of today’s operating systems provide any 
real security. If it can be proved that unauthor- 
ized disclosure of personal data did occur, and 
that it could have occurred via the computer, 
then civil and perhaps criminal penalties might 
be imposed if the “make no change” policy had 
been followed. 

The encryption of sensitive personal data is one 
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security mechanism that could be used. But, as we 
have pointed out, encryption brings with it some 
real problems. About all we can say is, if you 
choose this course, keep as much sensitive per- 


sonal information out of your mechanized sys- 
tems as possible and use just as good an 
encryption scheme as you can get. 
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One of the interesting phenomena of recent years in the computer field 
has been the growth in popularity of the aPL programming language. In- 
teresting because one of its big growth areas has been in business, in sup- 
port of management problem solving and decision making. But just how 
are decision makers using ap and other decision support systems to help 
them make decisions? We discuss this question next month and report on 
some recent research studies of these types of systems and their use in 


business environments. 
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